LSC project

yum repo install

[root@lsc ~]# vi /etc/yum.repos.d/lsc-project.repo
# cat /etc/yum.repos.d/lsc-project.repo
[lsc-project]
name=LSC project packages
baseurl=http://lsc-project.org/rpm/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

#  rpm --import http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

# yum install lsc
Installed:
  lsc.noarch 0:2.1.3-0.el5       

java dependency

# yum install java-1.7.0-openjdk-devel

Installation   1 Paquet (+71 Paquets en dépendance)

Taille totale des téléchargements : 52 M
Taille d'installation : 191 M
Is this ok [y/d/N]: y
Installé :
  java-1.7.0-openjdk-devel.x86_64 1:1.7.0.91-2.6.2.1.el7_1                                                                                                                   

Dépendances installées :
  GConf2.x86_64 0:3.2.6-8.el7                            alsa-lib.x86_64 0:1.0.28-2.el7                                  atk.x86_64 0:2.8.0-4.el7                          
  cairo.x86_64 0:1.12.14-6.el7                           dbus-glib.x86_64 0:0.100-7.el7                                  flac-libs.x86_64 0:1.3.0-5.el7_1                  
  fontconfig.x86_64 0:2.10.95-7.el7                      fontpackages-filesystem.noarch 0:1.44-8.el7                     freetype.x86_64 0:2.4.11-10.el7_1.1               
  gdk-pixbuf2.x86_64 0:2.28.2-5.el7_1                    giflib.x86_64 0:4.1.6-9.el7                                     graphite2.x86_64 0:1.2.2-5.el7                    
  gsm.x86_64 0:1.0.13-11.el7                             gtk2.x86_64 0:2.24.22-5.el7_0.1                                 harfbuzz.x86_64 0:0.9.20-4.el7                    
  hicolor-icon-theme.noarch 0:0.12-7.el7                 hwdata.x86_64 0:0.252-7.8.el7_1                                 jasper-libs.x86_64 0:1.900.1-26.el7_0.3           
  java-1.7.0-openjdk.x86_64 1:1.7.0.91-2.6.2.1.el7_1     java-1.7.0-openjdk-headless.x86_64 1:1.7.0.91-2.6.2.1.el7_1     javapackages-tools.noarch 0:3.4.1-6.el7_0         
  jbigkit-libs.x86_64 0:2.0-11.el7                       libICE.x86_64 0:1.0.8-7.el7                                     libSM.x86_64 0:1.2.1-7.el7                        
  libX11.x86_64 0:1.6.0-2.1.el7                          libX11-common.noarch 0:1.6.0-2.1.el7                            libXau.x86_64 0:1.0.8-2.1.el7                     
  libXcomposite.x86_64 0:0.4.4-4.1.el7                   libXcursor.x86_64 0:1.1.14-2.1.el7                              libXdamage.x86_64 0:1.1.4-4.1.el7                 
  libXext.x86_64 0:1.3.2-2.1.el7                         libXfixes.x86_64 0:5.0.1-2.1.el7                                libXfont.x86_64 0:1.4.7-3.el7_1                   
  libXft.x86_64 0:2.3.1-5.1.el7                          libXi.x86_64 0:1.7.2-2.1.el7                                    libXinerama.x86_64 0:1.1.3-2.1.el7                
  libXrandr.x86_64 0:1.4.1-2.1.el7                       libXrender.x86_64 0:0.9.8-2.1.el7                               libXtst.x86_64 0:1.2.2-2.1.el7                    
  libXxf86vm.x86_64 0:1.1.3-2.1.el7                      libasyncns.x86_64 0:0.8-7.el7                                   libdrm.x86_64 0:2.4.56-2.el7                      
  libfontenc.x86_64 0:1.1.1-5.el7                        libjpeg-turbo.x86_64 0:1.2.90-5.el7                             libogg.x86_64 2:1.3.0-7.el7                       
  libpciaccess.x86_64 0:0.13.1-4.1.el7                   libpng.x86_64 2:1.5.13-5.el7                                    libsndfile.x86_64 0:1.0.25-9.el7                  
  libthai.x86_64 0:0.1.14-9.el7                          libtiff.x86_64 0:4.0.3-14.el7                                   libvorbis.x86_64 1:1.3.3-8.el7                    
  libxcb.x86_64 0:1.9-5.el7                              libxslt.x86_64 0:1.1.28-5.el7                                   lksctp-tools.x86_64 0:1.0.13-3.el7                
  mesa-libEGL.x86_64 0:10.2.7-5.20140910.el7_1.1         mesa-libGL.x86_64 0:10.2.7-5.20140910.el7_1.1                   mesa-libgbm.x86_64 0:10.2.7-5.20140910.el7_1.1    
  mesa-libglapi.x86_64 0:10.2.7-5.20140910.el7_1.1       mozjs17.x86_64 0:17.0.0-10.el7                                  pango.x86_64 0:1.34.1-5.el7                       
  pcsc-lite-libs.x86_64 0:1.8.8-5.el7                    pixman.x86_64 0:0.32.4-3.el7                                    polkit.x86_64 0:0.112-5.el7                       
  polkit-pkla-compat.x86_64 0:0.1-4.el7                  pulseaudio-libs.x86_64 0:3.0-30.el7                             python-javapackages.noarch 0:3.4.1-6.el7_0        
  python-lxml.x86_64 0:3.2.1-4.el7                       ttmkfdir.x86_64 0:3.0.9-41.el7                                  tzdata-java.noarch 0:2015g-1.el7                  
  xorg-x11-font-utils.x86_64 1:7.5-18.1.el7              xorg-x11-fonts-Type1.noarch 0:7.5-9.el7                        

Terminé !

#  java -version
java version "1.7.0_91"
OpenJDK Runtime Environment (rhel-2.6.2.1.el7_1-x86_64 u91-b00)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)

Scenario ldap to ldap

ref

Preparation of a scenario synchronising the Evry LDAP directory into the Mines-Télécom merged LDAP directory

[root@lsc lsc]# mkdir /etc/lsc/ldapevry2ldapimt
[root@lsc lsc]# cd /etc/lsc/ldapevry2ldapimt
[root@lsc ldapevry2ldapimt]# cp /etc/lsc/logback.xml .
[root@lsc ldapevry2ldapimt]# cp /etc/lsc/lsc.xml .
[root@lsc ldapevry2ldapimt]# vim lsc.xml

See the ldap2ldap LSC configuration further down.

openldap-servers installation

[root@lsc ldap2ldap]# yum install openldap-servers openldap-clients
Installed:
  openldap-servers.x86_64 0:2.4.39-7.el7.centos    
  openldap-clients.x86_64 0:2.4.39-7.el7.centos                   

openldap-server configuration

retrieve the schemas specific to our academic use cases

[root@lsc schema]# cp eduperson-200412.schema supann_2009.schema /etc/openldap/schema/

system directory where the merged LDAP database of the synchronisation sources will be stored (initially a BDB backend, to be migrated to lmdb …)

[root@lsc openldap]# vim slapd.conf # directory       /var/lib/ldap/imt/
[root@lsc openldap]# mkdir /var/lib/ldap/imt/
[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/

[root@lsc openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/imt/DB_CONFIG
[root@lsc openldap]# chown ldap:ldap /var/lib/ldap/imt/DB_CONFIG

start the server at boot

[root@lsc openldap]# systemctl enable slapd.service 
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'

make sure the firewall is open for ldap; example with firewalld

# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldap" log prefix="ldap_157_158" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="157.158.0.0/16" service name="ldaps" log prefix="ldaps_157_158" accept'
# firewall-cmd --reload

ldap logging through rsyslog

[root@lsc openldap]# vim /etc/rsyslog.conf 
[root@lsc openldap]# systemctl restart rsyslog.service 
[root@lsc openldap]# grep ldap /etc/rsyslog.conf
local4.*						/var/log/ldap.log

First start of the empty server

[root@lsc openldap]# ./olcgene.sh 
565ad68c /etc/openldap/slapd.conf: line 208: rootdn is always granted unlimited privileges.
565ad68c /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
565ad68c bdb_db_open: database "dc=mines-telecom,dc=fr": db_open(/var/lib/ldap/imt//id2entry.bdb) failed: No such file or directory (2).
565ad68c backend_startup_one (type=bdb, suffix="dc=mines-telecom,dc=fr"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

[root@lsc openldap]# ls -al /var/lib/ldap/imt/
total 19552
drwxr-xr-x 2 ldap ldap     4096 Nov 29 11:42 .
drwx------ 3 ldap ldap     4096 Nov 29 11:11 ..
-rw-r--r-- 1 ldap ldap      845 Nov 29 11:15 DB_CONFIG
-rw------- 1 ldap ldap  2801664 Nov 29 11:42 __db.001
-rw------- 1 ldap ldap 17489920 Nov 29 11:42 __db.002
-rw------- 1 ldap ldap  1884160 Nov 29 11:42 __db.003
-rw-r--r-- 1 ldap ldap     2048 Nov 29 11:42 alock
-rw------- 1 ldap ldap     8192 Nov 29 11:42 dn2id.bdb
-rw------- 1 ldap ldap    32768 Nov 29 11:42 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Nov 29 11:42 log.0000000001

[root@lsc openldap]# tail -f /var/log/ldap.log 
Nov 29 11:42:20 lscimt slapd[3275]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 29 2015 13:31:12) $
	mockbuild@worker1.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Nov 29 11:42:20 lscimt slapd[3276]: slapd starting


[root@lsc openldap]# ps auwx |grep slapd 
ldap      3276  0.0  2.0 429780  5504 ?        Ssl  11:42   0:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

adding the root of the ldap tree

LDIF file representing the root of the merged ldap tree

# cat root-mt.ldif
# mt
dn: dc=mines-telecom,dc=fr
dc: mines-telecom
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: mines-telecom.fr

insertion into the imt ldap instance

[root@lsc ~]# ldapadd -f root-mt.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -W
Enter LDAP Password: 
adding new entry "dc=mines-telecom,dc=fr"

[root@lsc ~]# tail -f /var/log/ldap.log 
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 ACCEPT from IP=[::1]:47596 (IP=[::]:389)
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" method=128
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 RESULT tag=97 err=0 text=
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 ADD dn="dc=mines-telecom,dc=fr"
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=1 RESULT tag=105 err=0 text=
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=2 UNBIND
Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 closed
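The bind logged above is a simple bind over plain ldap:// (mech=SIMPLE, no TLS), so the admin password crossed the socket in the clear; here that is the loopback interface, but the same lines appear for remote clients. The following is an added example, not code from the original page or from OpenLDAP: a small detector that walks slapd log lines in this format and reports every non-anonymous simple bind made on a connection with no transport protection. The catch it handles is that the "ssf=0" on a mech=SIMPLE BIND line is the SASL strength, which reads 0 even after STARTTLS, so protection is tracked per conn= id from the ACCEPT line (unix socket or ldaps port) or a later "TLS established" line. All sample log lines are constructed.

```javascript
// Added example, not part of the original page or of OpenLDAP: detect simple binds
// sent over an unprotected connection in slapd log lines (facility local4 ->
// /var/log/ldap.log as configured above). The "ssf=0" on a "mech=SIMPLE" BIND line
// is the SASL strength and is 0 even after STARTTLS, so transport protection is
// tracked per conn= id: an ACCEPT on a unix socket (PATH=, i.e. ldapi://), an ACCEPT
// on the ldaps port, or a later "TLS established" line. Sample lines are constructed.

const ACCEPT_RE = /conn=(\d+) fd=\d+ ACCEPT from (IP|PATH)=(\S+) \((?:IP|PATH)=(\S+)\)/;
const TLS_RE = /conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+)/;
const BIND_RE = /conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+)/;
const CLOSE_RE = /conn=(\d+) fd=\d+ closed/;

const SAMPLE_LOG = [
  // conn 1002: plain ldap:// on port 389, password sent in the clear
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 ACCEPT from IP=[::1]:47596 (IP=[::]:389)',
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" method=128',
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0',
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=0 RESULT tag=97 err=0 text=',
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 op=2 UNBIND',
  'Nov 29 11:51:38 lscimt slapd[3276]: conn=1002 fd=11 closed',
  // conn 1003: STARTTLS negotiated before the bind (constructed)
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 fd=12 ACCEPT from IP=157.158.10.20:51234 (IP=[::]:389)',
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 op=0 STARTTLS',
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 op=0 RESULT oid= err=0 text=',
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 fd=12 TLS established tls_ssf=256 ssf=256',
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 op=1 BIND dn="cn=adm,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0',
  'Nov 29 11:52:01 lscimt slapd[3276]: conn=1003 op=1 RESULT tag=97 err=0 text=',
  // conn 1004: local ldapi:// unix socket (constructed)
  'Nov 29 11:53:10 lscimt slapd[3276]: conn=1004 fd=13 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)',
  'Nov 29 11:53:10 lscimt slapd[3276]: conn=1004 op=0 BIND dn="cn=admin,dc=mines-telecom,dc=fr" mech=SIMPLE ssf=0',
  // conn 1005: anonymous bind, no credential at stake (constructed)
  'Nov 29 11:54:00 lscimt slapd[3276]: conn=1005 fd=14 ACCEPT from IP=157.158.10.21:51300 (IP=[::]:389)',
  'Nov 29 11:54:00 lscimt slapd[3276]: conn=1005 op=0 BIND dn="" mech=SIMPLE ssf=0',
];

// Returns one finding per non-anonymous simple bind made without transport protection.
function findCleartextSimpleBinds(lines, ldapsPort = 636) {
  const conns = new Map(); // conn id -> { protectedTransport, peer }
  const findings = [];
  for (const line of lines) {
    let m;
    if ((m = ACCEPT_RE.exec(line))) {
      const [, id, kind, peer, local] = m;
      const port = /:(\d+)$/.exec(local); // local listener, e.g. "[::]:389"
      const protectedTransport = kind === 'PATH' || (port !== null && Number(port[1]) === ldapsPort);
      conns.set(id, { protectedTransport, peer });
    } else if ((m = TLS_RE.exec(line))) {
      const c = conns.get(m[1]);
      if (c && Number(m[2]) > 0) c.protectedTransport = true;
    } else if ((m = BIND_RE.exec(line))) {
      const [, id, op, dn, mech] = m;
      const c = conns.get(id) || { protectedTransport: false, peer: 'unknown' };
      // Only a non-anonymous simple bind carries a password in the request.
      if (mech === 'SIMPLE' && dn !== '' && !c.protectedTransport) {
        findings.push({ conn: id, op, dn, peer: c.peer });
      }
    } else if ((m = CLOSE_RE.exec(line))) {
      conns.delete(m[1]);
    }
  }
  return findings;
}

for (const f of findCleartextSimpleBinds(SAMPLE_LOG)) {
  console.log(`conn=${f.conn} op=${f.op}: simple bind as ${f.dn} from ${f.peer} without TLS`);
}
```

Run against the sample, only conn 1002 is reported: the STARTTLS connection, the ldapi socket and the anonymous bind are all skipped. Piping a real /var/log/ldap.log through the same function gives a quick inventory of clients that still send passwords in the clear before tightening the LSC connections (tlsActivated) or the firewall rules to ldaps only.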

and of the people sub-branch

[root@lsc ~]# vim people.ldif
[root@lsc ~]# ldapadd -f people.ldif -H ldap://localhost -D cn=admin,dc=mines-telecom,dc=fr -W
Enter LDAP Password: 
adding new entry "ou=people,dc=mines-telecom,dc=fr"

[root@lsc ~]# cat people.ldif 
dn: ou=people,dc=mines-telecom,dc=fr
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: people

current content of our “empty shell”

[root@lsc ~]# ldapsearch -x objectclass=* -H ldap://localhost -b dc=mines-telecom,dc=fr -D cn=admin,dc=mines-telecom,dc=fr -W dn -LLL
Enter LDAP Password: 
dn: dc=mines-telecom,dc=fr

dn: ou=people,dc=mines-telecom,dc=fr

LSC ldap2ldap synchronisation config

The principle here is to synchronise several ldap directories into one shared directory that merges the institutions' directories, each institution in its own sub-branch.

Here, objectClasses and attributes that are not essential to a white-pages directory are excluded via the objectclass <dataset>:

[root@lscimt ldapevry2ldapimt]# cat lsc.xml
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">

  <connections>
    <ldapConnection>
      <name>tem-tsp</name>
      <url>ldap://ldapze.int.fr:389/dc=int,dc=fr</url>
      <username>cn=adm,dc=int,dc=fr</username>
      <password>secret</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>mines-telecom</name>
      <url>ldap://127.0.0.1:389/dc=mines-telecom,dc=fr</url>
      <username>cn=adm,dc=mines-telecom,dc=fr</username>
      <password>secret</password>
      <authentication>SIMPLE</authentication>
      <referral>THROW</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>-1</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>

  <tasks>

    <task>
      <name>user</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>user-source-service</name>
        <connection reference="tem-tsp" />
        <baseDn>ou=people,dc=int,dc=fr</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>mail</string>
          <string>sn</string>
          <string>departmentNumber</string>
          <string>employeeType</string>
          <string>givenName</string>
          <string>telephoneNumber</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson)(uid=martin*))]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
        <cleanFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>user-dest-service</name>
        <connection reference="mines-telecom" />
        <baseDn>ou=evry,ou=people,dc=mines-telecom,dc=fr</baseDn>
        <pivotAttributes>
          <string>cn</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>cn</string>
          <string>objectClass</string>
          <string>mail</string>
          <string>sn</string>
          <string>departmentNumber</string>
          <string>employeeType</string>
          <string>givenName</string>
          <string>telephoneNumber</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(&(cn=*)(objectClass=inetOrgPerson))]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=inetOrgPerson)(cn={cn}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn")) + ",ou=evry,ou=people,dc=mines-telecom,dc=fr"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>true</create>
          <update>true</update>
          <delete>true</delete>
          <changeId>true</changeId>
        </conditions>
        <dataset>
          <name>objectclass</name>
          <policy>KEEP</policy>
          <createValues>
            <string>"inetOrgPerson"</string>
            <string>"organizationalPerson"</string>
            <string>"person"</string>
            <string>"top"</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>

  </tasks>
</lsc>

synchronisation

[root@lsc ldapevry2ldapimt]# lsc -s user --config /etc/lsc/ldapevry2ldapimt/
11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
11:41:14,248 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs multiple times on the classpath.
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [file:/etc/lsc/ldapevry2ldapimt/logback.xml]
11:41:14,249 |-WARN in ch.qos.logback.classic.LoggerContext[default] - Resource [logback.xml] occurs at [jar:file:/usr/lib/lsc/lsc-core-2.1.3.jar!/logback.xml]

nov. 30 11:41:14 - INFO  - Reflections took 105 ms to scan 1 urls, producing 55 keys and 115 values
nov. 30 11:41:15 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/logback.xml
nov. 30 11:41:15 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldapevry2ldapimt/
nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
nov. 30 11:41:15 - INFO  - Connecting to LDAP server ldap://ldapze.int.fr:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
nov. 30 11:41:15 - INFO  - Starting sync for user
nov. 30 11:41:15 - INFO  - # Adding new object cn=Guy BERNARD,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Mon Nov 30 11:41:15 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: add
employeeType:: UHJvZmVzc2V1ciBpbnZpdMOp
mail: jacques.martin@tem-tsp.eu
sn: MARTIN
departmentNumber: INFO
cn: Jacques MARTIN
telephoneNumber: +33161764567
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: Jacques

nov. 30 11:41:15 - INFO  - All entries: 5, to modify entries: 5, successfully modified entries: 5, errors: 0

attribute modification

It is possible to rewrite attribute values on the fly so that they conform to a common syntax and naming scheme.

Example of adding a dataset that rewrites the departmentNumber attribute during synchronisation: here, if departmentNumber at the source contains MCI, it is transformed into DSI:

        <dataset>
          <name>departmentNumber</name>
          <policy>FORCE</policy>
          <forceValues>
            <string><![CDATA[js:
                var department = srcBean.getDatasetFirstValueById("departmentNumber");
                if ( department == "MCI" ) { department = "DSI"; }
                department;
            ]]></string>
          </forceValues>
        </dataset>
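Two pieces of the configuration above decide where and how each source entry lands: the <mainIdentifier> expression, which builds the destination DN from the source cn through javax.naming.ldap.Rdn.escapeValue, and the departmentNumber dataset, which rewrites one value on the way. The escaping is the part that matters for safety: a source cn containing "," or "+" would otherwise be parsed as additional RDN components and the entry would be written to a different DN than intended. The block below is an added example written for this page, not LSC's or Java's code: escapeRdnValue() implements RFC 4514 value escaping (the job Rdn.escapeValue does in the config, not a byte-for-byte copy of the Java method), makeSourceBean() stands in for LSC's srcBean, and DEPARTMENT_MAP generalises the single MCI-to-DSI rule into a lookup table. Sample source entries are constructed.

```javascript
// Added example (not LSC or Java code): what <mainIdentifier> and the departmentNumber
// <dataset> above compute for one source entry, in plain JavaScript.
// escapeRdnValue() follows RFC 4514 and plays the role javax.naming.ldap.Rdn.escapeValue
// plays in the configuration; makeSourceBean() stands in for LSC's srcBean object.

const DEST_BRANCH = 'ou=evry,ou=people,dc=mines-telecom,dc=fr';
const CREATE_OBJECTCLASSES = ['inetOrgPerson', 'organizationalPerson', 'person', 'top'];
const DEPARTMENT_MAP = { MCI: 'DSI' }; // the rule from the dataset above, as a table

// RFC 4514: backslash-escape the special characters, a leading '#' or space and a trailing space.
function escapeRdnValue(value) {
  let out = '';
  for (const ch of value) {
    if (ch === '\0') out += '\\00';
    else if ('"+,;<>\\'.includes(ch)) out += '\\' + ch;
    else out += ch;
  }
  // trailing space first, then leading, so that a lone space becomes "\ " and not "\\ "
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  if (out.startsWith(' ') || out.startsWith('#')) out = '\\' + out;
  return out;
}

// Generalised form of the "if MCI then DSI" script: unknown values pass through unchanged.
function mapDepartment(value) {
  if (value === null) return null;
  return Object.prototype.hasOwnProperty.call(DEPARTMENT_MAP, value) ? DEPARTMENT_MAP[value] : value;
}

// Minimal stand-in for LSC's srcBean: first value of a (possibly multi-valued) attribute.
function makeSourceBean(attrs) {
  return {
    getDatasetFirstValueById(name) {
      const v = attrs[name];
      if (v === undefined) return null;
      return Array.isArray(v) ? (v.length > 0 ? v[0] : null) : v;
    },
  };
}

// Destination entry as the task would create it: escaped DN, fixed objectClass set,
// copied attributes and the rewritten departmentNumber.
function buildDestinationEntry(srcBean) {
  const cn = srcBean.getDatasetFirstValueById('cn');
  if (cn === null || cn === '') throw new Error('source entry has no pivot attribute cn');
  const entry = { dn: 'cn=' + escapeRdnValue(cn) + ',' + DEST_BRANCH, objectClass: CREATE_OBJECTCLASSES.slice(), cn };
  for (const a of ['sn', 'givenName', 'mail', 'employeeType', 'telephoneNumber']) {
    const v = srcBean.getDatasetFirstValueById(a);
    if (v !== null) entry[a] = v;
  }
  const dept = mapDepartment(srcBean.getDatasetFirstValueById('departmentNumber'));
  if (dept !== null) entry.departmentNumber = dept;
  return entry;
}

// Constructed sample source entries; the second one carries RDN special characters.
const SAMPLE_SOURCE = [
  makeSourceBean({ cn: 'Jacques MARTIN', sn: 'MARTIN', givenName: 'Jacques', departmentNumber: 'MCI', mail: 'jacques.martin@example.invalid' }),
  makeSourceBean({ cn: 'Dupont, Marie+', sn: 'Dupont', givenName: 'Marie', departmentNumber: 'INFO' }),
];

for (const bean of SAMPLE_SOURCE) console.log(buildDestinationEntry(bean));
```

The first entry gets cn=Jacques MARTIN under the evry branch with departmentNumber DSI; the second gets the DN cn=Dupont\, Marie\+,ou=evry,ou=people,dc=mines-telecom,dc=fr, which a naive "cn=" + cn concatenation would have turned into a three-component RDN sequence. Extending DEPARTMENT_MAP is how further renamings would be added without touching the function.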

logs associated with this synchronisation

nov. 30 14:45:17 - INFO  - # Updating object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
nov. 30 14:45:17 - INFO  - # Updating object cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Mon Nov 30 14:45:17 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: modify
replace: departmentNumber
departmentNumber: DSI
-

# Mon Nov 30 14:45:17 CET 2015
dn: cn=Albert MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: modify
replace: departmentNumber
departmentNumber: DSI
-

nov. 30 14:45:17 - INFO  - All entries: 5, to modify entries: 2, successfully modified entries: 2, errors: 0

deletion

To delete an account, the following option must be added:

-c,--clean <arg>                      Cleaning type (one of the available
                                       tasks or 'all')

and also make sure that the source does not contain zero entries; otherwise, as a safety measure, lsc deletes nothing.

déc. 01 14:29:00 - INFO  - Starting sync for user
déc. 01 14:29:00 - ERROR - Empty or non existant source (no IDs found)

Here is the example of deleting an entry at the source.

[root@lsc ldap2ldapmintel]# lsc -s user -c user --config /etc/lsc/ldap2ldapmintel/
...
déc. 01 15:21:52 - INFO  - Reflections took 104 ms to scan 1 urls, producing 55 keys and 115 values
déc. 01 15:21:52 - INFO  - Logging configuration successfully loaded from /etc/lsc/ldap2ldapmintel/logback.xml
déc. 01 15:21:52 - INFO  - LSC configuration successfully loaded from /etc/lsc/ldap2ldapmintel/
déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://127.0.0.1:389/dc=mines-telecom,dc=fr as cn=adm,dc=mines-telecom,dc=fr
déc. 01 15:21:52 - INFO  - Connecting to LDAP server ldap://ldap4.tem-tsp.eu:389/dc=int-evry,dc=fr as cn=adm,dc=int,dc=fr
déc. 01 15:21:52 - INFO  - Starting sync for user
déc. 01 15:21:52 - ERROR - Empty or non existant source (no IDs found)
déc. 01 15:21:52 - INFO  - Starting clean for user
déc. 01 15:21:52 - INFO  - # Removing object cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr for user
# Tue Dec 01 15:21:52 CET 2015
dn: cn=Jacques MARTIN,ou=evry,ou=people,dc=mines-telecom,dc=fr
changetype: delete

déc. 01 15:21:52 - INFO  - All entries: 6, to modify entries: 1, successfully modified entries: 1, errors: 0
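To make the create/update/delete decisions of this section concrete, here is an added example written for this page, not LSC's own code: a dry-run planner for one task that matches source and destination entries on the pivot attribute (cn, as in the task above), emits creates for entries missing at the destination, updates for entries whose synchronised attributes differ, and, only when the clean phase is requested, deletes for destination entries whose pivot is no longer found in the source. It applies the rule stated above that an empty source is reported as an error and removes nothing. renderLdif() prints the records in the form the LSC logs show; it assumes cn values free of RDN special characters. All entries are constructed.

```javascript
// Added example, not LSC's own code: a dry-run planner applying the rules this section
// describes. Entries match on the pivot attribute cn; the clean phase corresponds to -c.
// An empty source is reported as an error and nothing is created, updated or removed.
// cn values are assumed free of RDN special characters. Sample entries are constructed.

const SYNCED_ATTRS = ['mail', 'sn', 'departmentNumber', 'employeeType', 'givenName', 'telephoneNumber'];
const BRANCH = 'ou=evry,ou=people,dc=mines-telecom,dc=fr';

function planSync(sourceEntries, destEntries, clean = false) {
  const plan = { create: [], update: [], remove: [], errors: [] };
  const src = new Map(sourceEntries.map((e) => [e.cn, e]));
  const dst = new Map(destEntries.map((e) => [e.cn, e]));
  if (src.size === 0) {
    plan.errors.push('Empty or non existant source (no IDs found)');
    return plan; // safety rule: an empty source never triggers deletions
  }
  for (const [cn, s] of src) {
    const d = dst.get(cn);
    if (!d) { plan.create.push(cn); continue; }
    const norm = (v) => (v === undefined ? null : v);
    const attrs = SYNCED_ATTRS.filter((a) => norm(s[a]) !== norm(d[a]));
    if (attrs.length > 0) plan.update.push({ cn, attrs });
  }
  if (clean) {
    for (const cn of dst.keys()) if (!src.has(cn)) plan.remove.push(cn);
  }
  return plan;
}

// LDIF records in the shape the LSC log excerpts above show for add, modify and delete.
function renderLdif(plan, sourceEntries) {
  const src = new Map(sourceEntries.map((e) => [e.cn, e]));
  const records = [];
  for (const cn of plan.create) {
    const s = src.get(cn);
    const lines = [`dn: cn=${cn},${BRANCH}`, 'changetype: add', `cn: ${cn}`];
    for (const a of SYNCED_ATTRS) if (s[a] !== undefined) lines.push(`${a}: ${s[a]}`);
    records.push(lines.join('\n'));
  }
  for (const u of plan.update) {
    const s = src.get(u.cn);
    const lines = [`dn: cn=${u.cn},${BRANCH}`, 'changetype: modify'];
    for (const a of u.attrs) {
      if (s[a] === undefined) lines.push(`delete: ${a}`, '-'); // attribute gone from the source
      else lines.push(`replace: ${a}`, `${a}: ${s[a]}`, '-');
    }
    records.push(lines.join('\n'));
  }
  for (const cn of plan.remove) records.push(`dn: cn=${cn},${BRANCH}\nchangetype: delete`);
  return records;
}

// Constructed sample data: one stale value, one identical entry, one new entry, one orphan.
const SOURCE = [
  { cn: 'Jacques MARTIN', sn: 'MARTIN', givenName: 'Jacques', departmentNumber: 'DSI' },
  { cn: 'Albert MARTIN', sn: 'MARTIN', givenName: 'Albert', departmentNumber: 'DSI' },
  { cn: 'Guy BERNARD', sn: 'BERNARD', givenName: 'Guy', departmentNumber: 'INFO' },
];
const DESTINATION = [
  { cn: 'Jacques MARTIN', sn: 'MARTIN', givenName: 'Jacques', departmentNumber: 'MCI' }, // update
  { cn: 'Albert MARTIN', sn: 'MARTIN', givenName: 'Albert', departmentNumber: 'DSI' },   // no change
  { cn: 'Jean DURAND', sn: 'DURAND', givenName: 'Jean', departmentNumber: 'INFO' },     // removed with -c
];

const plan = planSync(SOURCE, DESTINATION, true);
console.log(renderLdif(plan, SOURCE).join('\n\n'));
console.log(planSync([], DESTINATION, true).errors);
```

With clean enabled the sample yields one add (Guy BERNARD), one modify (departmentNumber of Jacques MARTIN) and one delete (Jean DURAND), the same three record shapes as in the logs above; with clean disabled the orphan stays, and with an empty source the planner returns only the error and an empty remove list, which is the behaviour worth checking before running a clean against a production branch.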